Zap DomXSS plugin failing


zap tester

Mar 23, 2022, 8:10:44 AM
to OWASP ZAP User Group
Hi,
The DomXSS active scanner plugin is failing when running in daemon mode. Following is the configuration and output. Sorry if the error output is hard to read. I did not see a way to put it in a code block. Any help is appreciated!

zap version: 2.11.1

zap command line options:
zap.sh -daemon -port 8181 -config connection.timeoutInSecs=60 -config api.key=test -config connection.proxyChain.enabled=true -config connection.proxyChain.hostName=127.0.0.1 -config connection.proxyChain.port=8080

Stack trace:
52718300 [Thread-5640] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https:/redacted.com | DomXssScanRule strength MEDIUM threshold MEDIUM
1648036255998        geckodriver        INFO        Listening on 127.0.0.1:16812
1648036256069        mozrunner::runner        INFO        Running command: "/usr/bin/firefox" "--marionette" "-headless" "-no-remote" "-profile" "/tmp/rust_mozprofileLS9qH7"
*** You are running in headless mode.
console.error: Region.jsm: "Failed to fetch region" (new TypeError("NetworkError when attempting to fetch resource.", ""))
1648036274435        Marionette        INFO        Listening on port 38785
1648036274481        Marionette        WARN        TLS certificate errors will be ignored for this session
Mar 23, 2022 7:51:14 AM org.openqa.selenium.remote.ProtocolHandshake createSession
INFO: Detected dialect: W3C
52737369 [ZAP-ProxyThread-58114] ERROR org.parosproxy.paros.core.proxy.ProxyThread - An error occurred while notifying listener:
java.lang.IllegalStateException: Connection factory has been shutdown.
        at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager.doGetConnection(MultiThreadedHttpConnectionManager.java:463) ~[commons-httpclient-3.1.jar:2.11.1]
        at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager.getConnectionWithTimeout(MultiThreadedHttpConnectionManager.java:416) ~[commons-httpclient-3.1.jar:2.11.1]
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:189) ~[zap-2.11.1.jar:2.11.1]
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:2.11.1]
        at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:430) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:672) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:627) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:602) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.network.HttpSender.sendAndReceiveImpl(HttpSender.java:1034) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:994) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:313) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:246) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:218) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.domxss.DomXssScanRule.access$000(DomXssScanRule.java:66) ~[?:?]
        at org.zaproxy.zap.extension.domxss.DomXssScanRule$1.onHttpRequestSend(DomXssScanRule.java:240) ~[?:?]
        at org.parosproxy.paros.core.proxy.ProxyThread.notifyOverrideListenersRequestSend(ProxyThread.java:747) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:541) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:319) [zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:831) [?:?]

(firefox-esr:13773): Gtk-CRITICAL **: 07:51:26.496: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed

(firefox-esr:13773): Gtk-CRITICAL **: 07:51:26.499: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed

(firefox-esr:13773): Gtk-CRITICAL **: 07:51:26.499: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed
ExceptionHandler::GenerateDump cloned child 13985
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
[GFX1-]: Receive IPC close with reason=AbnormalShutdown
Exiting due to channel error.
[GFX1-]: Receive IPC close with reason=AbnormalShutdown
Exiting due to channel error.
[GFX1-]: Receive IPC close with reason=AbnormalShutdown
Exiting due to channel error.
1648036287310        geckodriver::marionette        ERROR        Failed to close browser connection: Socket not connected (os error 107)
52911521 [ZAP-ActiveScanner-0] ERROR org.zaproxy.zap.extension.domxss.DomXssScanRule - Tried to run command without establishing a connection
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'redacted', ip: '192.168.122.124', os.name: 'Linux', os.arch: 'amd64', os.version: '4.19.0-16-amd64', java.version: '16.0.1'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 78.15.0, javascriptEnabled: true, moz:accessibilityChecks: false, moz:buildID: 20210927121355, moz:geckodriverVersion: 0.30.0, moz:headless: true, moz:processID: 13773, moz:profile: /tmp/rust_mozprofileLS9qH7, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, pageLoadStrategy: normal, platform: LINUX, platformName: LINUX, platformVersion: 4.19.0-16-amd64, rotatable: false, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: 422b8fd9-2b6a-442c-80af-057d15042480
org.openqa.selenium.NoSuchSessionException: Tried to run command without establishing a connection
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'redacted', ip: '192.168.122.124', os.name: 'Linux', os.arch: 'amd64', os.version: '4.19.0-16-amd64', java.version: '16.0.1'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 78.15.0, javascriptEnabled: true, moz:accessibilityChecks: false, moz:buildID: 20210927121355, moz:geckodriverVersion: 0.30.0, moz:headless: true, moz:processID: 13773, moz:profile: /tmp/rust_mozprofileLS9qH7, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, pageLoadStrategy: normal, platform: LINUX, platformName: LINUX, platformVersion: 4.19.0-16-amd64, rotatable: false, setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: 422b8fd9-2b6a-442c-80af-057d15042480
        at jdk.internal.reflect.GeneratedConstructorAccessor83.newInstance(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
        at org.openqa.selenium.remote.http.W3CHttpResponseCodec.createException(W3CHttpResponseCodec.java:187) ~[?:?]
        at org.openqa.selenium.remote.http.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:122) ~[?:?]
        at org.openqa.selenium.remote.http.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:49) ~[?:?]
        at org.openqa.selenium.remote.HttpCommandExecutor.execute(HttpCommandExecutor.java:158) ~[?:?]
        at org.openqa.selenium.remote.service.DriverCommandExecutor.execute(DriverCommandExecutor.java:83) ~[?:?]
        at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:552) ~[?:?]
        at org.openqa.selenium.remote.RemoteWebDriver.get(RemoteWebDriver.java:277) ~[?:?]
        at org.zaproxy.zap.extension.domxss.DomXssScanRule.returnDriver(DomXssScanRule.java:349) ~[?:?]
        at org.zaproxy.zap.extension.domxss.DomXssScanRule.scan(DomXssScanRule.java:656) ~[?:?]
        at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:333) [zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:831) [?:?]

Simon Bennetts

Apr 5, 2022, 4:27:18 AM
to OWASP ZAP User Group
What version of Firefox do you have installed?
Does it run ok from the command line?

Cheers,

Simon

zap tester

Apr 11, 2022, 12:31:58 PM
to OWASP ZAP User Group
Simon,
Sorry for the late reply, I had kind of given up on a response and quit monitoring the thread. That said - thank you for the follow up.

I had been running version 78.15.0esr. Just upgraded to 91.8.0esr.

I tried running from the command line with:
/usr/bin/firefox --marionette -headless -foreground -no-remote -profile /tmp/my_test

This ran without error. Are there any follow-up tests you would like me to run?

Here is the output from the most recent run using updated firefox:
335563 [Thread-8] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://[REDACTED] | DomXssScanRule strength MEDIUM threshold MEDIUM                                                                                                                          
1649691813178   geckodriver     INFO    Listening on 127.0.0.1:3212
1649691816855   mozrunner::runner       INFO    Running command: "/usr/bin/firefox" "--marionette" "-headless" "-no-remote" "-profile" "/tmp/rust_mozprofilexY8Rbi"                                                                                                                      

*** You are running in headless mode.
359743 [ZAP-PassiveScanner] WARN  org.zaproxy.zap.extension.pscan.PassiveScanThread - Passive Scan rule Timestamp Disclosure took 21 seconds to scan https://[REDACTED] application/javascript 345990
[GFX1-]: glxtest: Unable to open a connection to the X server
[GFX1-]: glxtest: libEGL missing
1649691843639   Marionette      INFO    Marionette enabled
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
console.warn: SearchSettings: "get: No settings file exists, new profile?" (new NotFoundError("Could not open the file at /tmp/rust_mozprofilexY8Rbi/search.json.mozlz4", (void 0)))                                                                                                    
console.error: Region.jsm: "Error fetching region" (new Error("TIMEOUT", "resource://gre/modules/Region.jsm", 772))
console.error: Region.jsm: "Failed to fetch region" (new Error("TIMEOUT", "resource://gre/modules/Region.jsm", 419))
1649691902804   Marionette      INFO    Listening on port 37821

[GFX1-]: Receive IPC close with reason=AbnormalShutdown
Exiting due to channel error.
Exiting due to channel error.
[GFX1-]: Receive IPC close with reason=AbnormalShutdown
Exiting due to channel error.
471573 [ZAP-ActiveScanner-0] WARN  org.zaproxy.zap.extension.domxss.DomXssScanRule - Skipping scanner, failed to start browser: Connection refused (os error 111)                                                                                                                        

Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: '[REDACTED]', ip: '[REDACTED]', os.name: 'Linux', os.arch: 'amd64', os.version: '4.19.0-16-amd64', java.version: '16.0.1'                                                                                                                                      
Driver info: driver.version: FirefoxDriver
remote stacktrace:
471598 [Thread-8] INFO  org.parosproxy.paros.core.scanner.HostProcess - skipped plugin [failed to start or connect to the browser] https://[REDACTED] | DomXssScanRule in 136.035s with 0 message(s) sent and 0 alert(s) raised.

It looks like this may be an issue with GFX1? Also, this is running on a VM with no display attached. I have tried starting X (with the dummy video driver) prior to running zap, but that did not seem to change anything.

Please let me know what else to try. Your help is very appreciated!!!

ornhre ornhre

Apr 18, 2022, 12:39:56 PM
to OWASP ZAP User Group
bump...

Tuvshin

May 25, 2022, 2:51:25 AM
to OWASP ZAP User Group
I have the same issue here. The error occurs on the latest docker image of zap. Any suggestion would be appreciated.

Simon Bennetts

May 25, 2022, 4:06:56 AM
to OWASP ZAP User Group
Which docker image? We have 3 :)
If it's the stable image, do you check for updates first?
If not you'll need to do that.
We run a series of tests against vulnerable apps every day and these are showing that the DOM XSS scan rule is working fine in the live docker image.

If you still have problems please share the command you are using to run ZAP, obfuscating any sensitive information of course.

Cheers,

Simon

tuv..@gmail.com

May 25, 2022, 5:25:08 AM
to OWASP ZAP User Group
Hello Simon, 

Thanks for the reply. I'm using the latest stable version of the docker image (v2.11.1) and not checking for updates first. We are using the automation framework and calling it from a Jenkins job.
Additionally, our environment has restricted access to the internet. We opened only the necessary URIs explicitly, such as "https://cfu.zaproxy.org", "https://news.zaproxy.org", "https://tel.zaproxy.org".

The command is not exactly the same as below, but similar:
docker run --rm -v $(pwd):/zap/wrk/ owasp/zap2docker-stable /bin/sh -c "zap.sh -cmd -autorun /zap/wrk/zap.yaml";

Below is the error log in zap.log:
2022-05-23 06:47:01,235 [ZAP-ActiveScanner-1] ERROR DomXssScanRule - Tried to run command without establishing a connection

Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'xxxxxxxx', ip: 'xxxxxxxxx', os.name: 'Linux', os.arch: 'amd64', os.version: 'xxxxxxxxxxxxxxxxxxxxxxxxx', java.version: '11.0.14'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 98.0.2, javascriptEnabled: true, moz:accessibilityChecks: false, moz:buildID: 20220322144853, moz:geckodriverVersion: 0.30.0, moz:headless: true, moz:processID: 2551, moz:profile: /tmp/rust_mozprofileu2K1Jr, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, pageLoadStrategy: normal, platform: LINUX, platformName: LINUX, platformVersion: 
xxxxxxxxxxxxxxxxxxxxxxxxx  , proxy: Proxy(), setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

org.openqa.selenium.NoSuchSessionException: Tried to run command without establishing a connection
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: 'xxxxxxxx', ip: 'xxxxxxxx', os.name: 'Linux', os.arch: 'amd64', os.version: ' xxxxxxxxxxxxxxxxxxxxxxxxx', java.version: '11.0.14'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 98.0.2, javascriptEnabled: true, moz:accessibilityChecks: false, moz:buildID: 20220322144853, moz:geckodriverVersion: 0.30.0, moz:headless: true, moz:processID: 2551, moz:profile: /tmp/rust_mozprofileu2K1Jr, moz:shutdownTimeout: 60000, moz:useNonSpecCompliantPointerOrigin: false, moz:webdriverClick: true, pageLoadStrategy: normal, platform: LINUX, platformName: LINUX, platformVersion: 
xxxxxxxxxxxxxxxxxxxxxxxxx  , proxy: Proxy(), setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: ignore}
Session ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    at jdk.internal.reflect.GeneratedConstructorAccessor88.newInstance(Unknown Source) ~[?:?]

    at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]

    at org.openqa.selenium.remote.http.W3CHttpResponseCodec.createException(W3CHttpResponseCodec.java:187) ~[?:?]
    at org.openqa.selenium.remote.http.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:122) ~[?:?]
    at org.openqa.selenium.remote.http.W3CHttpResponseCodec.decode(W3CHttpResponseCodec.java:49) ~[?:?]
    at org.openqa.selenium.remote.HttpCommandExecutor.execute(HttpCommandExecutor.java:158) ~[?:?]
    at org.openqa.selenium.remote.service.DriverCommandExecutor.execute(DriverCommandExecutor.java:83) ~[?:?]
    at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:552) ~[?:?]
    at org.openqa.selenium.remote.RemoteWebDriver.get(RemoteWebDriver.java:277) ~[?:?]
    at org.zaproxy.zap.extension.domxss.DomXssScanRule.returnDriver(DomXssScanRule.java:349) ~[?:?]
    at org.zaproxy.zap.extension.domxss.DomXssScanRule.scan(DomXssScanRule.java:656) ~[?:?]
    at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:333) [zap-2.11.1.jar:2.11.1]

This is the log exported to the Jenkins console, which seems to be what headless Firefox outputs.
Job activeScan started
Job activeScan set default strength to MEDIUM
Job activeScan set default threshold to MEDIUM
1653466130575    geckodriver    INFO    Listening on 127.0.0.1:20379
1653466130567    geckodriver    INFO    Listening on 127.0.0.1:8191
1653466130743    mozrunner::runner    INFO    Running command: "/usr/lib/firefox/firefox" "--marionette" "-headless" "-no-remote" "-profile" "/tmp/rust_mozprofileMcNNhn"
1653466130745    mozrunner::runner    INFO    Running command: "/usr/lib/firefox/firefox" "--marionette" "-headless" "-no-remote" "-profile" "/tmp/rust_mozprofileFRmjA8"

*** You are running in headless mode.
*** You are running in headless mode.
[GFX1-]: glxtest: libpci missing

[GFX1-]: glxtest: Unable to open a connection to the X server
[GFX1-]: glxtest: libEGL missing
[GFX1-]: No GPUs detected via PCI
[GFX1-]: glxtest: libpci missing

[GFX1-]: glxtest: Unable to open a connection to the X server
[GFX1-]: glxtest: libEGL missing
[GFX1-]: No GPUs detected via PCI
1653466131389    Marionette    INFO    Marionette enabled
1653466131389    Marionette    INFO    Marionette enabled

[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
console.warn: SearchSettings: "get: No settings file exists, new profile?" (new NotFoundError("Could not open the file at /tmp/rust_mozprofileMcNNhn/search.json.mozlz4", (void 0)))
console.warn: SearchSettings: "get: No settings file exists, new profile?" (new NotFoundError("Could not open the file at /tmp/rust_mozprofileFRmjA8/search.json.mozlz4", (void 0)))
console.error: Region.jsm: "Error fetching region" (new TypeError("NetworkError when attempting to fetch resource.", ""))
console.error: Region.jsm: "Failed to fetch region" (new Error("NO_RESULT", "resource://gre/modules/Region.jsm", 419))
1653466133064    Marionette    INFO    Listening on port 41275
1653466133132    RemoteAgent    WARN    TLS certificate errors will be ignored for this session
May 25, 2022 8:08:53 AM org.openqa.selenium.remote.ProtocolHandshake createSession
INFO: Detected dialect: W3C
1653466133280    Marionette    INFO    Listening on port 38045
1653466133358    RemoteAgent    WARN    TLS certificate errors will be ignored for this session
May 25, 2022 8:08:53 AM org.openqa.selenium.remote.ProtocolHandshake createSession
INFO: Detected dialect: W3C

(firefox:1047): Gtk-CRITICAL **: 08:08:56.447: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed

(firefox:1047): Gtk-CRITICAL **: 08:08:56.447: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed

(firefox:1047): Gtk-CRITICAL **: 08:08:56.447: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed
ExceptionHandler::GenerateDump cloned child 1853

ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...

(firefox:1049): Gtk-CRITICAL **: 08:08:56.460: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed

(firefox:1049): Gtk-CRITICAL **: 08:08:56.460: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed

(firefox:1049): Gtk-CRITICAL **: 08:08:56.460: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed
ExceptionHandler::GenerateDump cloned child ExceptionHandler::WaitForContinueSignal waiting for continue signal...
1854

ExceptionHandler::SendContinueSignalToChild sent continue signal to child
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
1653466136969    geckodriver::marionette    ERROR    Failed to close browser connection: Socket not connected (os error 107)

Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
1653466137088    geckodriver::marionette    ERROR    Failed to close browser connection: Socket not connected (os error 107)
1653466177338    geckodriver    INFO    Listening on 127.0.0.1:21152
1653466177334    geckodriver    INFO    Listening on 127.0.0.1:28225
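
A log check for the failure mode shown in the logs above, added here as an example (it is not code from ZAP or from any poster in this thread): in both reports the scan keeps running while the DOM XSS rule is skipped or errors out, so an unattended Jenkins job can finish with no DOM XSS coverage. The function names are hypothetical, and treating any logger whose class name ends in `ScanRule` as a scan rule is an assumption that generalises from `DomXssScanRule`.

```python
import re
import sys

# Matches both layouts posted in the thread:
#   "471598 [Thread-8] INFO  org...HostProcess - message"            (daemon console)
#   "2022-05-23 06:47:01,235 [ZAP-ActiveScanner-1] ERROR DomXssScanRule - message"  (zap.log)
LINE = re.compile(
    r"^(?:\d+|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\s+"
    r"\[(?P<thread>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
# HostProcess summary line for a rule that never ran.
SKIPPED = re.compile(r"^skipped plugin \[(?P<reason>[^\]]*)\] \S+ \| (?P<rule>\w+) in ")

# Lines copied from the logs posted in this thread (hosts already redacted there).
SAMPLE = """\
471573 [ZAP-ActiveScanner-0] WARN  org.zaproxy.zap.extension.domxss.DomXssScanRule - Skipping scanner, failed to start browser: Connection refused (os error 111)
471598 [Thread-8] INFO  org.parosproxy.paros.core.scanner.HostProcess - skipped plugin [failed to start or connect to the browser] https://[REDACTED] | DomXssScanRule in 136.035s with 0 message(s) sent and 0 alert(s) raised.
2022-05-23 06:47:01,235 [ZAP-ActiveScanner-1] ERROR DomXssScanRule - Tried to run command without establishing a connection
1653466136969    geckodriver::marionette    ERROR    Failed to close browser connection: Socket not connected (os error 107)
"""


def coverage_gaps(lines):
    """Return unique (rule, kind, detail) tuples for rules that were skipped or failed."""
    gaps, seen = [], set()
    for raw in lines:
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # stack frames, geckodriver/Firefox output, blank lines
        logger = m["logger"].rsplit(".", 1)[-1]  # class name without package
        msg = m["msg"].strip()
        skipped = SKIPPED.match(msg) if logger == "HostProcess" else None
        if skipped:
            finding = (skipped["rule"], "skipped", skipped["reason"])
        elif logger.endswith("ScanRule") and m["level"] in ("WARN", "ERROR"):
            # Assumption: scan rule classes log under a name ending in "ScanRule".
            finding = (logger, m["level"].lower(), msg)
        else:
            continue
        if finding not in seen:
            seen.add(finding)
            gaps.append(finding)
    return gaps


def main(argv):
    """Check the log file given as argv[1], or the embedded sample if none is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            gaps = coverage_gaps(fh)
    else:
        gaps = coverage_gaps(SAMPLE.splitlines())
    for rule, kind, detail in gaps:
        print(f"{rule}: {kind}: {detail}")
    return 1 if gaps else 0  # non-zero exit lets the CI job fail on lost coverage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against zap.log (or the captured console output) as a step after the scan; a non-zero exit means at least one rule did not run to completion.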

Simon Bennetts

May 25, 2022, 6:24:56 AM
to OWASP ZAP User Group
I suspect that will be it then.
Try using a command similar to the one on https://www.zaproxy.org/docs/docker/about/#automation-framework :
  • docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable bash -c "zap.sh -cmd -addonupdate; zap.sh -cmd -autorun /zap/wrk/zap.yaml"
Cheers,

Simon

tuv..@gmail.com

May 27, 2022, 5:08:09 AM
to OWASP ZAP User Group
Hello Simon

Thank you for your hints. Unfortunately, changing the command and running addonupdate didn't help. It seems Selenium is trying to send commands to the Firefox driver through the specified random port (the port number is always changing), but couldn't reach it.
Could it be some network restriction of the host server of the docker image?

Regards 